Age | Commit message | Author |
|
This also provides a pkey_security_bits member to the PKEY ASN.1 methods
and a corresponding setter EVP_PKEY_asn1_set_security_bits().
ok beck jsing
|
|
ok beck jsing
|
|
CID 24812
ok jsing@ millert@ tb@
|
|
This moves the struct internals for DH and DH_METHOD to dh_local.h.
ok inoguchi jsing
|
|
This marks the start of major surgery in libcrypto. Do not attempt to
build the tree for a while (~50 commits).
|
|
This implements checking of a public key and of key generation
parameters for DH and EC keys. With the same logic and setters
and const quirks as for EVP_PKEY_check().
There are a couple of quirks: For DH no default EVP_PKEY_check()
is implemented, instead EVP_PKEY_param_check() calls DH_check_ex()
even though DH_param_check_ex() was added for this purpose.
EVP_PKEY_public_check() for EC curves also checks the private key
if present.
ok inoguchi jsing
|
|
DH_check{,_pub_key}_ex() wrap their non-ex versions to translate
the flags argument of the original functions into OpenSSL errors.
For this almost a dozen new error codes need to be added.
DH_params_check{,_ex}() is a new version of DH_check that only
performs a cheap subset of the checks.
They are needed to implement EVP_PKEY_{public,param}_check()
(observe the consistent naming) although the actual implementation
of EVP_PKEY_param_check() chose to use DH_check_ex().
As far as I can tell, the only raison d'être of the _ex functions
and error codes is to spew them to stderr in a couple of openssl(1)
commands. This couldn't have been solved differently...
These functions will not be exposed publicly.
ok inoguchi jsing
|
|
|
|
it will be needed in the upcoming bump.
discussed with jsing
|
|
|
|
Will be needed by openssl(1) dhparam.
ok inoguchi jsing
|
|
These are accessors that allow getting one specific DH member. They are
less error prone than the current getters DH_get0_{pqg,key}(). They
are used by many ports and will also be used in base for this reason.
Who can remember whether the pub_key or the priv_key goes first in
DH_get0_key()?
ok inoguchi jsing
|
|
evp.h will be moved to evp_locl.h in an upcoming bump.
ok inoguchi
|
|
It makes no sense to allocate an entire BN_CTX if we only use it to
get a single BIGNUM, from which we subtract 1 to compare it to g.
We can just use a plain BIGNUM and delete a bunch of lines.
ok inoguchi jsing
|
|
ok inoguchi jsing
|
|
This aligns our behavior with OpenSSL 1.1.1 which includes a mitigation
for small subgroup attacks. This did not affect LibreSSL since we do
not support X9.42 style parameter files or RFC 5114.
The meat of this commit is from Matt Caswell, OpenSSL b128abc3
ok inoguchi jsing
|
|
BN_prime_checks is only to be used for random input. Here, the
input isn't random, so increase the number of checks. According
to https://eprint.iacr.org/2019/032, 64 rounds is suitable.
From Jake Massimo, OpenSSL 1.1.1, af6ce3b4
ok inoguchi jsing
|
|
simplifications and readability tweaks. This ensures in
particular that dh->q is suitable if present.
Based on work by Stephen Henson and Bernd Edlinger in OpenSSL.
Issues with the current implementation found via regression
tests in py-cryptography.
ok inoguchi jsing
|
|
Based on the version in OpenSSL 1.1.1l with minor tweaks.
ok inoguchi jsing
|
|
that will be used in subsequent commits.
ok inoguchi jsing
|
|
ok inoguchi jsing
|
|
ok jsing@ tb@
|
|
From BoringSSL's commit 53409ee3d7595ed37da472bc73b010cd2c8a5ffd
by David Benjamin.
ok djm, jsing
|
|
ok bcook
|
|
While there, eliminate a flag that was only used once.
ok beck jsing mestre
|
|
ok beck jsing
|
|
|
|
ok beck jsing
|
|
freeing and indent nearby labels.
ok beck jsing
|
|
takes care of this internally.
ok beck jsing
|
|
Requires adding a const to the priv_decode() member of
EVP_PKEY_ASN1_METHOD and adjusting all *_priv_decode()
functions. All this is already documented this way.
tested in a bulk build by sthen
ok jsing
|
|
we can add const to PKCS8_pkey_get0(). In order for this to work,
we need to sprinkle a few consts here and there.
tested in a bulk by sthen
ok jsing
|
|
|
|
by Guido Vranken to OpenSSL (https://github.com/openssl/openssl/pull/6457)
and based on his diff. suggestions from tb@, ok tb@ jsing@
"During key agreement in a TLS handshake using a DH(E) based ciphersuite a
malicious server can send a very large prime value to the client. This will
cause the client to spend an unreasonably long period of time generating a key
for this prime resulting in a hang until the client has finished. This could be
exploited in a Denial Of Service attack."
|
|
Reported by Ondřej Surý, LibreSSL-portable issue #92.
ok inoguchi, jsing
|
|
tested in a bulk by sthen
ok jsing
|
|
OpenSSL commit 7c96dbcdab9 by Rich Salz.
This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.
ok jsing, tested by & ok inoguchi
|
|
|
|
|
|
ok jsing
|
|
ok jsing
|
|
ok jsing
|
|
ok jsing
|
|
ok jsing
|
|
EVP_PKEY_get0_{DH,DSA,RSA}(), RSA_{g,s}et0_key().
ok jsing
|
|
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@
|
|
matter for constant time, and make the public interface only used
external to the library.
This moves us to a model where the important things are constant time
versions unless you ask for them not to be, rather than the opposite.
I'll continue with this method by method.
Add regress tests for same.
ok jsing@
|
|
|
|
ASN1_item_{d2i,i2d}_* equivalents.
ok guenther@ miod@
|
|
ok beck@
|